Merge pull request #6399 from NlightNFotis/fix_6231

Allow checks to be performed inside quantifier statements.

Author: NlightNFotis

regression/cbmc-primitives/CMakeLists.txt

@@ -1,3 +1,11 @@
-add_test_pl_tests(
-    "$<TARGET_FILE:cbmc>"
-)
+find_program(Z3_EXISTS "z3")
+message(${Z3_EXISTS})
+if(Z3_EXISTS)
+    add_test_pl_tests(
+        "$<TARGET_FILE:cbmc>"
+    )
+else()
+    add_test_pl_tests(
+        "$<TARGET_FILE:cbmc>" -X smt-backend
+    )
+endif()

regression/cbmc-primitives/alternating_quantifiers_6231/exists_in_forall.c

@@ -0,0 +1,14 @@
+#include <stdlib.h>
+
+// clang-format off
+int main(int argc, char **argv)
+{
+    int *i = malloc(sizeof(int));
+    *i = 1;
+
+    __CPROVER_assert(
+        __CPROVER_forall { int z; (0 < z && z < 10) ==>
+            __CPROVER_exists { int y; ( 10 < y && y < 20) && y == z + 10 && y > *i } },
+        "for all z, there exists a y so that y = z + 10 and y > 1");
+}
+// clang-format on

regression/cbmc-primitives/alternating_quantifiers_6231/exists_in_forall.desc

@@ -0,0 +1,16 @@
+CORE
+exists_in_forall.c
+--pointer-check
+^EXIT=0$
+^SIGNAL=0$
+\[main\.assertion\.1\] line \d* for all z, there exists a y so that y = z \+ 10 and y > 1: SUCCESS
+\[main\.pointer_dereference\.7\] line \d+ dereference failure: pointer NULL in \*i: SUCCESS
+\[main\.pointer_dereference\.8\] line \d+ dereference failure: pointer invalid in \*i: SUCCESS
+\[main\.pointer_dereference\.9\] line \d+ dereference failure: deallocated dynamic object in \*i: SUCCESS
+\[main\.pointer_dereference\.10\] line \d+ dereference failure: dead object in \*i: SUCCESS
+\[main\.pointer_dereference\.11\] line \d+ dereference failure: pointer outside object bounds in \*i: SUCCESS
+\[main\.pointer_dereference\.12\] line \d+ dereference failure: invalid integer address in \*i: SUCCESS
+--
+--
+The assertion reference number here is present so that we make sure
+we always match the properties of the dereference inside the exists.

regression/cbmc-primitives/alternating_quantifiers_6231/forall_in_exists.c

@@ -0,0 +1,14 @@
+#include <stdlib.h>
+
+// clang-format off
+int main(int argc, char **argv)
+{
+    int *i = malloc(sizeof(int));
+    *i = 1;
+
+    __CPROVER_assert(
+        __CPROVER_exists { int z; (0 < z && z < 2) &&
+            __CPROVER_forall { int o; (10 < o && o < 20) ==> o > z && z == * i }},
+        "there exists a z between 0 and 2 so that for all o between 10 and 20, o > z and z = 1");
+}
+// clang-format on

regression/cbmc-primitives/alternating_quantifiers_6231/forall_in_exists.desc

@@ -0,0 +1,14 @@
+CORE
+forall_in_exists.c
+--pointer-check
+^EXIT=0$
+^SIGNAL=0$
+\[main\.assertion\.1\] line \d* there exists a z between 0 and 2 so that for all o between 10 and 20, o > z and z = 1: SUCCESS
+\[main\.pointer_dereference\.7\] line \d+ dereference failure: pointer NULL in \*i: SUCCESS
+\[main\.pointer_dereference\.8\] line \d+ dereference failure: pointer invalid in \*i: SUCCESS
+\[main\.pointer_dereference\.9\] line \d+ dereference failure: deallocated dynamic object in \*i: SUCCESS
+\[main\.pointer_dereference\.10\] line \d+ dereference failure: dead object in \*i: SUCCESS
+\[main\.pointer_dereference\.11\] line \d+ dereference failure: pointer outside object bounds in \*i: SUCCESS
+\[main\.pointer_dereference\.12\] line \d+ dereference failure: invalid integer address in \*i: SUCCESS
+--
+--

regression/cbmc-primitives/exists_assume_6231/test.c

@@ -0,0 +1,18 @@
+#include <stdlib.h>
+
+// clang-format off
+int main(int argc, char **argv)
+{
+    int *i = malloc(sizeof(int));
+    *i = 1;
+
+    // The exists inside the assume will evaluate to true,
+    // and be flipped by the negation in front of it, resulting
+    // to assume(false), which will allow the assertion to evaluate
+    // to true. 
+    __CPROVER_assume(
+        !__CPROVER_exists{int z; (z > 1 && z < 10) && z > *i}
+    );
+    __CPROVER_assert(0, "this assertion should be satified");
+}
+// clang-format on

regression/cbmc-primitives/exists_assume_6231/test.desc

@@ -0,0 +1,10 @@
+CORE
+test.c
+--pointer-check
+^EXIT=0$
+^SIGNAL=0$
+\[main\.assertion\.1\] line \d+ this assertion should be satified: SUCCESS
+^VERIFICATION SUCCESSFUL$
+--
+^warning: ignoring forall
+--

regression/cbmc-primitives/exists_assume_6231/test2.c

@@ -0,0 +1,16 @@
+#include <stdlib.h>
+
+// clang-format off
+int main(int argc, char **argv)
+{
+    int *i = malloc(sizeof(int));
+    *i = 1;
+
+    // The exists inside the assume will evaluate to true,
+    // and as such, the assertion below will fail as expected.
+    __CPROVER_assume(
+        __CPROVER_exists{int z; (z > 1 && z < 10) && z > *i}
+    );
+    __CPROVER_assert(0, "this should come out as failure");
+}
+// clang-format on

regression/cbmc-primitives/exists_assume_6231/test2.desc

@@ -0,0 +1,10 @@
+CORE
+test2.c
+--pointer-check
+^EXIT=10$
+^SIGNAL=0$
+\[main\.assertion\.1\] line \d+ this should come out as failure: FAILURE
+^VERIFICATION FAILED$
+--
+^warning: ignoring forall
+--

regression/cbmc-primitives/exists_memory_checks/invalid_index_range.c

@@ -0,0 +1,13 @@
+#include <assert.h>
+#include <stdlib.h>
+
+int main()
+{
+  int *a = calloc(10, sizeof(int));
+  a[5] = 25;
+
+  assert(__CPROVER_exists {
+    int i;
+    (0 <= i && i < 20) && a[i] == i *i
+  });
+}